

pomtom44

94 posts

Master Geek


#260028 7-Nov-2019 12:12

Hi all

Bit of a technical one so hoping I can get some help here.

I have an OpenVPN server running at home, and I have it working from my laptop, just not my phone.

I have my laptop (Windows 10) and Android (OnePlus) connected to the same WiFi (friend's network).

My laptop I can browse to both internal services (NAS and dev web server) and external websites (Google showing public IP as my home's IP).

My phone I can get internal services, but not external ones.

I can see the traffic from my phone on my firewall leaving to the internet, but I can't get detailed enough logging to see what's coming back
(I could try to find a way to get logging if needed).

I'm a little lost as the only difference between these is Windows vs Android; the routing and networks are exactly the same otherwise, so I'm not sure why it's not working as I expect it to.

Any help would be appreciated.

For reference:
Server: Ubuntu 16.04
VPN IP range 10.10.101.x
VPN VLAN 10.10.100.x
Static route pointing 10.10.101.x to server IP on 100 network

Laptop: Windows 10
Phone: Android / OnePlus 5



mdf

mdf
2683 posts

Uber Geek

Trusted
Subscriber

  #2349452 7-Nov-2019 13:40

How have you got DNS configured on laptop vs phone vs server?


pomtom44

94 posts

Master Geek


  #2349455 7-Nov-2019 13:55

mdf:
How have you got DNS configured on laptop vs phone vs server?

For the guest LAN:
Laptop + phone both using router for DNS.

Server is using an internal PiHole for DNS.

VPN pushes the same PiHole IP to all clients.


mdf

mdf
2683 posts

Uber Geek

Trusted
Subscriber

  #2350079 8-Nov-2019 10:43

I am a long way from an expert on this, but the fact you can get internal but not external services via the VPN makes me think it's a DNS issue. Android bakes in Google's DNS servers (8.8.8.8 and 8.8.4.4) for some things. Have you blocked or redirected that as part of setting up Pi-Hole?


pomtom44

94 posts

Master Geek


  #2350107 8-Nov-2019 11:14

mdf:
I am a long way from an expert on this, but the fact you can get internal but not external services via the VPN makes me think it's a DNS issue. Android bakes in Google's DNS servers (8.8.8.8 and 8.8.4.4) for some things. Have you blocked or redirected that as part of setting up Pi-Hole?

I did a packet capture on my router and I can see DNS traffic from my phone going to the PiHole, but no web traffic hitting the router.
So unless Android is rejecting these requests or it's being blocked somewhere else?

I'm going to do a pcap at every step along the path and see if I can see where the traffic is being blocked.


mdf

mdf
2683 posts

Uber Geek

Trusted
Subscriber

  #2350109 8-Nov-2019 11:32

My instinct (based on not that much if I'm being honest with you) is that the PiHole is causing the problem rather than the OpenVPN server. You could also try either spinning up another OpenVPN machine/docker and using Google DNS rather than the PiHole, or else setting the PiHole upstream DNS servers to 8.8.8.8 and see if that helps isolate the problem.


pomtom44

94 posts

Master Geek


  #2350112 8-Nov-2019 11:53

mdf:
My instinct (based on not that much if I'm being honest with you) is that the PiHole is causing the problem rather than the OpenVPN server. You could also try either spinning up another OpenVPN machine/docker and using Google DNS rather than the PiHole, or else setting the PiHole upstream DNS servers to 8.8.8.8 and see if that helps isolate the problem.

Interesting, you're right. Changing the DNS to 8.8.8.8 worked fine, but setting it to go through the PiHole doesn't.

So now the question is why?

It works fine on my PC, and it works fine on my phone when I'm at home, just not when I'm going through the VPN?

So it has to be an OpenVPN Android issue with local DNS?


mdf

mdf
2683 posts

Uber Geek

Trusted
Subscriber

  #2350183 8-Nov-2019 13:05

What router are you running? Some of the more prosumer/SOHO models have the ability to redirect all DNS queries/queries on port 53. I do this on an ERL so that all DNS queries on the kids' VLAN are forced to the Pihole. Works well.




pomtom44

94 posts

Master Geek


  #2350188 8-Nov-2019 13:26

mdf:
What router are you running? Some of the more prosumer/SOHO models have the ability to redirect all DNS queries/queries on port 53. I do this on an ERL so that all DNS queries on the kids' VLAN are forced to the Pihole. Works well.

Unifi USG
I have external DNS blocked at firewall level, and internal DNS set via DHCP for usual clients (and via OpenVPN config for VPN clients).

I did some tests from my Windows PC and I think I can see where the problem is now.
The Windows PC still seems to be using the local DNS for resolving IPs, where Android seems to be using the remote DNS (client side).

So Windows gets the IP of the server then sends the traffic down the VPN, where Android is trying to get the IP down the VPN first.
Must be a problem with my PiHole and routing down the VPN.

So two problems now:
1) How to force all traffic down the VPN from Windows
2) How to allow PiHole to route DNS back down the VPN



muppet
2297 posts

Uber Geek

Trusted

  #2350189 8-Nov-2019 13:26

It's a simple routing problem.

Let's say your LAN is 192.168.0.0/24 with your home router being 192.168.0.1/24.

Your pihole let's say is 192.168.0.10 and your OpenVPN server is 192.168.0.5.

For OpenVPN to work you have to allocate some other network, let's say you've allocated 10.0.0.0/24.

So your OpenVPN server has both 192.168.0.5/25 with a default route to 192.168.0.1 and 10.0.0.1/24 (VPN interface range).

Your phone connects and gets 10.0.0.2/24 as its IP. It sends a DNS request to 192.168.0.10 (your pihole).

Your pihole looks to send back an answer to your phone at 10.0.0.2, looks in its routing table and goes "I don't know how to route to 10.0.0.0/24 so I'll send it to my default gateway of 192.168.0.1".

Your home router also doesn't know about 10.0.0.0/24 so routes it out to the Internet.

The fix is to add a route to your pihole (or your home router) to say "To get to the 10.0.0.0/24 network, route to 192.168.0.5".

Then it'll work.

The "easier" way to fix this is to ensure your home router is also the host running OpenVPN. Everything uses it as the default gateway and it just works.


pomtom44

94 posts

Master Geek


  #2350190 8-Nov-2019 13:29

muppet:
It's a simple routing problem.

Let's say your LAN is 192.168.0.0/24 with your home router being 192.168.0.1/24.

Your pihole let's say is 192.168.0.10 and your OpenVPN server is 192.168.0.5.

For OpenVPN to work you have to allocate some other network, let's say you've allocated 10.0.0.0/24.

So your OpenVPN server has both 192.168.0.5/25 with a default route to 192.168.0.1 and 10.0.0.1/24 (VPN interface range).

Your phone connects and gets 10.0.0.2/24 as its IP. It sends a DNS request to 192.168.0.10 (your pihole).

Your pihole looks to send back an answer to your phone at 10.0.0.2, looks in its routing table and goes "I don't know how to route to 10.0.0.0/24 so I'll send it to my default gateway of 192.168.0.1".

Your home router also doesn't know about 10.0.0.0/24 so routes it out to the Internet.

The fix is to add a route to your pihole (or your home router) to say "To get to the 10.0.0.0/24 network, route to 192.168.0.5".

Then it'll work.

The "easier" way to fix this is to ensure your home router is also the host running OpenVPN. Everything uses it as the default gateway and it just works.

I have a static route already on my router pointing to the VPN server.
I just don't think that the DNS server is using that route?

I also tried setting up the VPN on my router, but had issues with it (can't remember as it was a while ago).
I could look at trying it again though.

pomtom44

94 posts

Master Geek


  #2350203 8-Nov-2019 13:32

muppet:
It's a simple routing problem.

Let's say your LAN is 192.168.0.0/24 with your home router being 192.168.0.1/24.

Your pihole let's say is 192.168.0.10 and your OpenVPN server is 192.168.0.5.

For OpenVPN to work you have to allocate some other network, let's say you've allocated 10.0.0.0/24.

So your OpenVPN server has both 192.168.0.5/25 with a default route to 192.168.0.1 and 10.0.0.1/24 (VPN interface range).

Your phone connects and gets 10.0.0.2/24 as its IP. It sends a DNS request to 192.168.0.10 (your pihole).

Your pihole looks to send back an answer to your phone at 10.0.0.2, looks in its routing table and goes "I don't know how to route to 10.0.0.0/24 so I'll send it to my default gateway of 192.168.0.1".

Your home router also doesn't know about 10.0.0.0/24 so routes it out to the Internet.

The fix is to add a route to your pihole (or your home router) to say "To get to the 10.0.0.0/24 network, route to 192.168.0.5".

Then it'll work.

The "easier" way to fix this is to ensure your home router is also the host running OpenVPN. Everything uses it as the default gateway and it just works.

I remembered why I didn't use the USG as the VPN:
I can't do static IP assignments per device.
I can with OpenVPN.
Hence running the VPN on a server rather than the router.

muppet
2297 posts

Uber Geek

Trusted

  #2350204 8-Nov-2019 13:33

Depending on how your router is working, it probably won't allow that traffic because it's failing statefulness.

That's because:

Incoming Packet: Packet from Phone -> OpenVPN Server -> Pihole.

But the RETURN traffic is

Return Packet: PiHole->ROUTER->OpenVPN Server->Phone

If your router is clever/stateful it'll be going "Hang on, I never saw an incoming packet for DNS, I'm not allowing this bogus reply out the door".

Again, the better fix is to put the route on the pihole, not the router. That way the router never sees the traffic.
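Muppet's routing walkthrough and the stateful-firewall point above, worked as an added example that is not part of the thread: a toy longest-prefix-match tracer using the same made-up addresses (192.168.0.x LAN, 10.0.0.0/24 tunnel; 203.0.113.1 is a placeholder ISP gateway) that compares no static route, the route on the router, and the route on the PiHole, and reports which transit hops see the reply without ever having seen the query.

```python
import ipaddress
# Constructed topology using the thread's example addresses: host name -> its addresses.
HOSTS = {"phone": ["10.0.0.2"], "vpnserver": ["10.0.0.1", "192.168.0.5"],
         "pihole": ["192.168.0.10"], "router": ["192.168.0.1"]}
ADDR_TO_HOST = {a: h for h, addrs in HOSTS.items() for a in addrs}
LAN = ("192.168.0.0/24", None)    # gateway None = directly connected
VPN = ("10.0.0.0/24", None)
BASE_TABLES = {
    "phone":     [VPN, ("0.0.0.0/0", "10.0.0.1")],       # redirect-gateway: everything goes down the tunnel
    "vpnserver": [LAN, VPN, ("0.0.0.0/0", "192.168.0.1")],
    "pihole":    [LAN, ("0.0.0.0/0", "192.168.0.1")],    # knows nothing about 10.0.0.0/24
    "router":    [LAN, ("0.0.0.0/0", "203.0.113.1")],    # placeholder ISP gateway: unknown = out to the Internet
}
def next_hop(table, dst):
    """Longest-prefix match over (prefix, gateway) entries; None if no entry matches."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best

def trace(tables, src, dst):
    """Hosts a packet visits from src toward dst; ends at dst's host, 'internet' or 'dropped'."""
    path, cur = [src], src
    for _ in range(8):                          # hop limit guards against routing loops
        if cur == "internet" or dst in HOSTS[cur]:
            return path
        hit = next_hop(tables[cur], dst)
        if hit is None:
            return path + ["dropped"]
        cur = ADDR_TO_HOST.get(hit[1] or dst, "internet")   # unknown next hop = sent upstream
        path.append(cur)
    return path

def dns_round_trip(pihole_routes=(), router_routes=()):
    """Query path, reply path, and transit hops only the reply crosses (a stateful firewall there sees no matching query)."""
    tables = {h: list(t) for h, t in BASE_TABLES.items()}
    tables["pihole"] += list(pihole_routes)
    tables["router"] += list(router_routes)
    query = trace(tables, "phone", "192.168.0.10")
    reply = trace(tables, "pihole", "10.0.0.2")
    return query, reply, [h for h in reply[1:-1] if h not in query]

if __name__ == "__main__":
    TO_VPN = ("10.0.0.0/24", "192.168.0.5")   # the static route muppet describes
    for label, kw in [("no route", {}), ("route on router", {"router_routes": [TO_VPN]}),
                      ("route on pihole", {"pihole_routes": [TO_VPN]})]:
        q, r, u = dns_round_trip(**kw)
        print(f"{label:16} query {'>'.join(q):28} reply {'>'.join(r):34} reply-only hops {u}")
```

With the route on the router only, the reply is delivered but crosses the router, which never saw the query; with the route on the PiHole the reply goes straight to the OpenVPN server and the router stays out of the path.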


pomtom44

94 posts

Master Geek


  #2350206 8-Nov-2019 13:36

muppet:
Depending on how your router is working, it probably won't allow that traffic because it's failing statefulness.

That's because:

Incoming Packet: Packet from Phone -> OpenVPN Server -> Pihole.

But the RETURN traffic is

Return Packet: PiHole->ROUTER->OpenVPN Server->Phone

If your router is clever/stateful it'll be going "Hang on, I never saw an incoming packet for DNS, I'm not allowing this bogus reply out the door".

Again, the better fix is to put the route on the pihole, not the router. That way the router never sees the traffic.

The DNS has to go through the router as my DNS server is on a different VLAN to the VPN server.
So I can put the route on the DNS server but it still has to go through the router in order to reach the VPN server.


muppet
2297 posts

Uber Geek

Trusted

  #2350207 8-Nov-2019 13:39

Well if that's the case and everything is routing via the router correctly, it doesn't sound like what I said applies.

 

Can you ping your pihole when your VPN is connected?


pomtom44

94 posts

Master Geek


  #2350209 8-Nov-2019 13:44

To make it easier, here's my network:

192.168.99.40 - DNS / PiHole
10.10.100.2 - OpenVPN server
10.10.101.x - OpenVPN network
(VLAN is a /23 for OpenVPN stuff)

Static route for 10.10.101.0 to 10.10.100.2
